Identifying DNS heavy hitters in root servers data Minas Gjoka CAIDA University of California, Irvine.


1 Identifying DNS heavy hitters in root servers data Minas Gjoka CAIDA University of California, Irvine

2 Motivation/Goals
- Percentage of invalid traffic huge (~98%).
  - Anycast deployment alleviates the problem at extra cost
- Goals
  - Characterize the sources of invalid traffic.
  - Identify solutions that could reduce traffic in the components of the DNS architecture

3 Categorization of generated invalid traffic

4 Results and work in-progress
- Blacklists
- Interarrival time
- Behavioral analysis
- Future work

5 Blacklists & DNS traffic
- Do prefixes/ASes which contain the IPs listed in DNSRBLs contribute unwanted DNS traffic also?
  - Misconfiguration
  - Malicious activity

6 Historical data from blacklists
- Spamhaus*
  - XBL - IPs of hijacked PCs infected by illegal 3rd party exploits
  - SBL - IPs of spam sources and spam operations
  - PBL - IP space assigned to broadband/ADSL customers.
- UCEProtect*
  - IPs of spam sources
- DShield*
  - Firewall logs - top 10000 IPs
* made available to us by Athina Markopoulou

7 Testing for correlation
- Rank BGP prefixes/ASes.
  - IPs present in blacklist
  - IPs or aggregated queries from DNS DITL data
- Increasing IP address space order.

8 Spamhaus XBL Ranked by IPs in blacklist

9 Spamhaus XBL Ranked by DNS queries to Roots

10 DNS Roots vs Spamhaus XBL Cumulative Fraction of IPs

11 What about the other blacklists?
- Spam - Spamhaus SBL/UCEProtect
  - similar output in BGP prefix/AS aggregation level
- Trying out other aggregation levels also.

12 Another use of DNSRBL
- Spamhaus PBL contains IP ranges assigned to Broadband/ADSL customers.
  - Participating ISPs
  - Spamhaus seeded with NJABL/dynablock zone
- DNS clients sending requests to the root
  - 10%-44% belong to the PBL advertised ranges
- Up to 44% of the sources are Broadband/ADSL customers

13 Characteristics of invalid queries
- Identical, repeated and referral-not-cached invalid queries constitute 73% in DITL 2008.
- Calculate interarrival time for the same query (domain name, type, class) received.

14 Interarrival time Identical/Repeated/Referral-not-Cached

15 Aggregation Example

Requested zone names    Aggregated
a.b.c.d.e.com.          c.d.e.com.
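
An added example (not from the presentation) of the two calculations on slides 13 and 15: interarrival times for the same query (domain name, type, class) and aggregation of requested names to a shorter zone name. The record layout, the sample records, the `per_client` switch and the aggregation depth of 4 labels (inferred from the slide's a.b.c.d.e.com. example) are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records: (unix_time, source_ip, qname, qtype, qclass)
SAMPLE = [
    (0.0, "192.0.2.10", "a.b.c.d.e.com.", "A", "IN"),
    (0.5, "192.0.2.10", "a.b.c.d.e.com.", "A", "IN"),
    (2.0, "192.0.2.10", "A.B.C.D.E.COM.", "A", "IN"),   # same name, different case
    (2.5, "198.51.100.7", "x.c.d.e.com.", "A", "IN"),
    (3.0, "192.0.2.10", "a.b.c.d.e.com.", "MX", "IN"),  # different type: separate key
    (4.0, "198.51.100.7", "www.example.net.", "A", "IN"),
]

def normalize(qname):
    """Lower-case and drop the trailing root dot; DNS names are case-insensitive."""
    return qname.rstrip(".").lower()

def aggregate(qname, depth=4):
    """Keep the rightmost `depth` labels (assumed depth; a.b.c.d.e.com. -> c.d.e.com.)."""
    name = normalize(qname)
    if not name:                      # the root name itself
        return "."
    return ".".join(name.split(".")[-depth:]) + "."

def interarrival_times(records, per_client=False):
    """Gaps in seconds between successive arrivals of the same (name, type, class)."""
    last_seen, gaps = {}, defaultdict(list)
    for ts, src, qname, qtype, qclass in sorted(records):
        key = (normalize(qname), qtype, qclass)
        if per_client:                # hypothetical option: also key on the source IP
            key = (src,) + key
        if key in last_seen:
            gaps[key].append(ts - last_seen[key])
        last_seen[key] = ts
    return dict(gaps)

def zone_shares(records, depth=4):
    """Percentage of all queries per aggregated zone name, most requested first."""
    counts = Counter(aggregate(r[2], depth) for r in records)
    total = sum(counts.values())
    return [(zone, round(100.0 * n / total, 2)) for zone, n in counts.most_common()]

if __name__ == "__main__":
    print(interarrival_times(SAMPLE))
    print(zone_shares(SAMPLE))
```
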

16 Top-10 most requested

Requested Query Name        Percentage
com                         19.66
net                         17.26
dynamic.163data.com.cn      3.68
165.222.in-addr.arpa        3.67
240.124.in-addr.arpa        1.95
org                         1.56
de                          1.38
edu                         1.38
ru                          1.10
.                           0.89

Why? Possible explanations:
- Aggressive requerying for delegation information
- Ingress filtering
- Poorly configured or maintained zones

17 Behavior of DNS Resolvers
- Wessels et al.: Measurements and Laboratory simulations of the upper DNS Hierarchy
  - Tested effect of network delay/loss to the root servers
- Extend the tested configurations

18 Simulation setup

19 Behavior of DNS Resolvers (2)
- Goals
  - Quantify the load of tested misconfigurations to the root server
  - Characterize a well-behaved DNS resolver
  - Patterns of misbehaving DNS resolvers
- Plans to test:
  - Other plausible network configurations
  - Zone configurations
    - Lame Delegation
  - Negative caching
    - Configurations at resolvers/cachers and zones
  - Local DNS configurations
  - Additional configurations from RFC 4697 - Observed DNS Resolution Misbehavior

20 Other future work
- Focus on heavy hitters (>10 queries/sec)
- Interarrival time
  - Per client
  - Per prefix/AS
- Extract patterns of invalid queries

21 Thank you
